Active Directory SSO


Overview

XCALLY supports authentication through Active Directory (AD) using the LDAP (Lightweight Directory Access Protocol). This integration allows users to log in with their Active Directory credentials (domain username and password).

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It stores and manages information about users, computers, and resources in a hierarchical structure, allowing centralized authentication, authorization, and policy enforcement across the network.

⚠️ Note: This integration is not to be confused with Microsoft Azure Active Directory (now Microsoft Entra ID), which is a separate cloud identity service and is not configured through the steps below.


How Active Directory Works

  • Authentication: Confirms that a user or computer is who they claim to be, typically through username and password validation.

  • Authorization: Grants access only to resources the authenticated user is permitted to use.

  • Directory Services: Store data about network entities such as users, computers, servers, and shared resources.

  • LDAP Protocol: Active Directory Domain Services (AD DS) exposes the directory to other systems over LDAP, a standard, cross-platform protocol for querying a directory and authenticating against it.

 

Feature support and limitations of the Active Directory SSO integration

  1. Account status check (Active/Disabled/Locked in AD)
    XCALLY's LDAP integration does not natively enforce AD account status checks (active, disabled, locked) before granting access.
    This means that, by default, users who are disabled or locked in AD may still be able to log in to XCALLY if their credentials are valid. When offboarding a user, therefore, also disable or remove the XCALLY account (Staff → Users or Staff → Agents) instead of relying on the AD account state alone.

  2. Failed login validation against AD (AD lockout policy enforcement)
    XCALLY does not validate every authentication attempt directly against AD. Failed login attempts are handled at the XCALLY application level, not by AD, so AD lockout policies (e.g. lock after 3 failed attempts) are not triggered by XCALLY login failures. Protection against password guessing on the XCALLY login must therefore come from XCALLY itself or from controls placed in front of it, not from the AD lockout policy.

  3. Concurrent session control (prevent multiple simultaneous sessions for the same AD user)
    XCALLY's default behavior for agent logins is to prevent multiple simultaneous sessions with the same credentials. If a second login is attempted with the same agent credentials, the first session is forcibly disconnected.



Requirements

  • Before integrating, ensure your XCALLY server is joined to the Active Directory domain (Step 1 below), and obtain the LDAP connection parameters (server URL, base DN, domain) and a bind account from your AD administrator.


Configuration

To enable Active Directory login in XCALLY, complete the following steps:

  1. Join the XCALLY server to the Active Directory domain

  2. Configure Active Directory connection settings in XCALLY

  3. Enable Active Directory login for Administrators, Users, and Agents


Step 1: Join XCALLY server to the Active Directory domain

Follow these steps to configure the XCALLY server:

  1. Use SSH to connect to your XCALLY server

  2. Login with root user

  3. Install the packages required to join an Active Directory (AD) domain:

    apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

  4. Use the realm discover command to detect your domain configuration:

    realm discover <domain_name>

    This command retrieves the domain details and lists any packages still missing for enrollment.

  5. Join the domain with an Active Directory account that is allowed to join computers to the domain (by default a member of Domain Admins, or an account to which that right has been delegated). Confirm the account with your AD administrator first. When prompted, enter that account's password:

    realm join -U <user> <domain_name>

    After the join completes, realm list shows the domain as configured and the server can resolve AD accounts, for example with id <user>@<domain_name>.



Step2: Configure Active Directory connection settings in XCALLY

After joining the domain, configure XCALLY to connect to AD using LDAP.

Request the following parameters from your AD administrator:

Property   Description

url        Active Directory server to connect to, e.g. ldap://ad.example.com

baseDN     The root DN from which all searches will be performed, e.g. dc=example,dc=com

domain     Domain part of the users' Active Directory login name (user@domain); it is appended to the XCALLY username to find the AD account, e.g. example.com

Follow these steps to configure the Active Directory connection:

  1. Use SSH to connect to your XCALLY server

  2. Stop the motion application (with root privileges):

service motion stop

  3. Log in as the motion user:

su - motion

  4. Open /var/opt/motion2/.env and set the following properties (add them if they do not exist):

XC_ACTIVEDIRECTORY_STRATEGY=inetOrgPerson
XC_ACTIVEDIRECTORY_ADMIN='<admin>'
XC_ACTIVEDIRECTORY_PASSWORD='<adminpassword>'
XC_ACTIVEDIRECTORY_BASE_DN='<baseDN>'
XC_ACTIVEDIRECTORY_URL='<url>'
XC_ACTIVEDIRECTORY_DOMAIN='<domain>'

    Example values: XC_ACTIVEDIRECTORY_ADMIN='cn=admin,dc=example,dc=org' and XC_ACTIVEDIRECTORY_BASE_DN='ou=user,dc=example,dc=org'.

    The admin account is the LDAP bind account XCALLY uses to look up users in the directory; it needs only to be able to search the base DN, so use a dedicated service account rather than a Domain Admin. Its password is stored in cleartext in .env, so keep the file readable by the motion user only (for example chmod 600 /var/opt/motion2/.env).

  5. Initialize the environment variables:

cd /var/opt/motion2
npm run initialize

  6. Return to the root shell (exit) and start the motion application again:

service motion start

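The following script is an added example and is not part of XCALLY: it checks the six XC_ACTIVEDIRECTORY_* properties before you run npm run initialize. It verifies that every property is present and non-empty, that the URL has an ldap:// or ldaps:// scheme, that the base DN consists of attr=value components, and that the dc= components of the base DN agree with the configured domain (a common typo); it also warns when a plain ldap:// URL is used, because the bind password then crosses the network unencrypted. The .env text inside the script is constructed sample data; feed parse_env the real file contents to check a live configuration.

```python
"""Sanity-check XC_ACTIVEDIRECTORY_* settings from an XCALLY .env file.

Added example, not XCALLY code. SAMPLE_ENV below is constructed; replace it
with the contents of /var/opt/motion2/.env to check a real configuration.
"""
import re
from urllib.parse import urlparse

REQUIRED_KEYS = (
    "XC_ACTIVEDIRECTORY_STRATEGY",
    "XC_ACTIVEDIRECTORY_ADMIN",
    "XC_ACTIVEDIRECTORY_PASSWORD",
    "XC_ACTIVEDIRECTORY_BASE_DN",
    "XC_ACTIVEDIRECTORY_URL",
    "XC_ACTIVEDIRECTORY_DOMAIN",
)

# One DN component such as dc=acme or ou=user (escaped commas are not handled).
DN_COMPONENT = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=\S.*$")


def parse_env(text):
    """Parse KEY=value lines, stripping one layer of matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_env(env):
    """Return (errors, warnings): errors break the integration,
    warnings are security or consistency issues worth a second look."""
    errors, warnings = [], []
    for key in REQUIRED_KEYS:
        if not env.get(key):
            errors.append(f"{key} is missing or empty")
    if errors:
        return errors, warnings  # the remaining checks need all values

    url = urlparse(env["XC_ACTIVEDIRECTORY_URL"])
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        errors.append("XC_ACTIVEDIRECTORY_URL must look like ldap://host or ldaps://host")
    elif url.scheme == "ldap":
        warnings.append("XC_ACTIVEDIRECTORY_URL uses ldap://: the bind password "
                        "crosses the network unencrypted; prefer ldaps:// where "
                        "the AD server supports it")

    base_parts = [p.strip() for p in env["XC_ACTIVEDIRECTORY_BASE_DN"].split(",")]
    if not all(DN_COMPONENT.match(p) for p in base_parts):
        errors.append("XC_ACTIVEDIRECTORY_BASE_DN is not a DN of attr=value "
                      f"components: {env['XC_ACTIVEDIRECTORY_BASE_DN']}")

    # The dc= components normally spell the domain; a mismatch is usually a
    # typo (an alternative UPN suffix is the legitimate exception, hence a warning).
    dc_domain = ".".join(p.split("=", 1)[1] for p in base_parts
                         if p.lower().startswith("dc="))
    domain = env["XC_ACTIVEDIRECTORY_DOMAIN"]
    if dc_domain.lower() != domain.lower():
        warnings.append(f"dc components of BASE_DN ({dc_domain}) differ from DOMAIN ({domain})")

    return errors, warnings


# Constructed sample .env content (not from a real deployment).
SAMPLE_ENV = """
XC_ACTIVEDIRECTORY_STRATEGY=inetOrgPerson
XC_ACTIVEDIRECTORY_ADMIN='cn=xcally-bind,ou=service,dc=acme,dc=com'
XC_ACTIVEDIRECTORY_PASSWORD='s3cret'
XC_ACTIVEDIRECTORY_BASE_DN='ou=user,dc=acme,dc=com'
XC_ACTIVEDIRECTORY_URL='ldap://ad.acme.com'
XC_ACTIVEDIRECTORY_DOMAIN='acme.com'
"""


def check_sample():
    return check_env(parse_env(SAMPLE_ENV))


if __name__ == "__main__":
    errors, warnings = check_sample()
    for msg in errors:
        print("ERROR:", msg)
    for msg in warnings:
        print("WARNING:", msg)
    if not errors:
        print("configuration is complete")
```

On the sample above the script reports no errors and one warning, about the cleartext ldap:// URL; switching the sample to ldaps:// silences it.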


Step 3: Enable Active Directory login for Administrators, Users and Agents

Active Directory login must first be enabled globally in XCALLY.

In the XCALLY web interface, go to: Settings → General → Active Directory SSO Enabled

Enable login for Users and Agents

For Administrators and Users: go to Staff → Users, then enable Login with Active Directory.

For Agents: go to Staff → Agents, then enable Login with Active Directory.

For agents, SSO feature is available for WebRTC and Phonebar Agents.

A User or Agent can successfully log in through Active Directory only if their XCALLY username, with the configured XC_ACTIVEDIRECTORY_DOMAIN appended (username@domain), exactly matches their Active Directory login name. Create the XCALLY account with the same username as the AD account; a differently spelled XCALLY username will not be mapped.


Example

Example Setup:

  • Domain: acme.com

  • AD Server: ad.acme.com

Environment File (/var/opt/motion2/.env):

XC_ACTIVEDIRECTORY_BASE_DN='dc=acme,dc=com'
XC_ACTIVEDIRECTORY_URL='ldap://ad.acme.com'
XC_ACTIVEDIRECTORY_DOMAIN='acme.com'


If the agent John Doe has an AD account john.doe@acme.com, and his XCALLY account username matches (john.doe), he can successfully log in using his Active Directory credentials.
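The script below is an added example, not XCALLY code, and covers two points from this page together: the username matching rule (XCALLY username + '@' + XC_ACTIVEDIRECTORY_DOMAIN must equal the AD login name) and the account status check that XCALLY does not perform before granting access. It takes a list of XCALLY accounts with AD login enabled and a set of AD user entries, decodes the userAccountControl flags and lockoutTime the way an auditor would, and reports which XCALLY accounts map to a disabled, locked or non-existent AD account. The AD entries are constructed sample data standing in for an LDAP search result over the base DN; in a real run you would fetch userPrincipalName, userAccountControl and lockoutTime over LDAP and feed them in.

```python
"""Audit XCALLY accounts with AD login enabled against Active Directory state.

Added example, not XCALLY code. SAMPLE_AD and SAMPLE_XCALLY are constructed
data; in production, populate them from an LDAP search and the XCALLY user list.
"""
from dataclasses import dataclass

# userAccountControl bit flags as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010        # set in msDS-User-Account-Control-Computed when locked
UF_NORMAL_ACCOUNT = 0x0200


@dataclass
class ADEntry:
    user_principal_name: str   # e.g. john.doe@acme.com
    user_account_control: int  # userAccountControl attribute
    lockout_time: int          # lockoutTime attribute: 0 when never/no longer locked


def account_state(entry):
    """Classify an AD entry as active, disabled or locked."""
    if entry.user_account_control & UF_ACCOUNTDISABLE:
        return "disabled"
    # lockoutTime stays non-zero until the lock expires or is cleared, so a
    # stale value can over-report; the computed LOCKOUT bit is authoritative.
    if entry.user_account_control & UF_LOCKOUT or entry.lockout_time != 0:
        return "locked"
    return "active"


def upn_for(xcally_username, domain):
    """The AD login name XCALLY looks for: username plus the configured domain."""
    return f"{xcally_username}@{domain}".lower()


def audit(xcally_users, ad_entries, domain):
    """Map each XCALLY username to a verdict: local-login-only,
    no-matching-ad-account, active, disabled or locked."""
    by_upn = {e.user_principal_name.lower(): e for e in ad_entries}
    report = {}
    for username, ad_login_enabled in xcally_users:
        if not ad_login_enabled:
            report[username] = "local-login-only"
            continue
        entry = by_upn.get(upn_for(username, domain))
        report[username] = "no-matching-ad-account" if entry is None else account_state(entry)
    return report


SAMPLE_DOMAIN = "acme.com"
# Constructed AD entries (hypothetical accounts).
SAMPLE_AD = [
    ADEntry("john.doe@acme.com", UF_NORMAL_ACCOUNT, 0),                   # active
    ADEntry("jane.roe@acme.com", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, 0),  # disabled
    ADEntry("bob.smith@acme.com", UF_NORMAL_ACCOUNT, 133_500_000_000_000_000),  # locked out
]
# Constructed XCALLY accounts: (username, "Login with Active Directory" enabled).
SAMPLE_XCALLY = [
    ("john.doe", True),
    ("jane.roe", True),
    ("bob.smith", True),
    ("jdoe", True),        # username does not match any AD login name
    ("local.admin", False),
]


def run_sample():
    return audit(SAMPLE_XCALLY, SAMPLE_AD, SAMPLE_DOMAIN)


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        flag = "" if verdict in ("active", "local-login-only") else "  <- review"
        print(f"{name:12s} {verdict}{flag}")
```

Accounts reported as disabled or locked are the ones the page warns about: XCALLY will still accept them if the password is right, so they should be disabled in XCALLY as well. A no-matching-ad-account verdict usually means the XCALLY username is spelled differently from the AD account (jdoe versus john.doe in the sample).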